Practice Management Alert

Compliance:

Beware: HIPAA Violations Live Past Business Expiration

Liquidating assets won't keep the feds off your tail once they've caught your scent.

If you weren't already worried about how your practice handles protected health information (PHI), learn from the mistakes and misdeeds of Illinois storage business Filefax Inc.

The U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) put out a press release warning that anyone handling PHI, including physicians' offices, storage vendors, and other covered entities, is subject to the full consequences of a Health Insurance Portability and Accountability Act (HIPAA) violation, and that those consequences can extend beyond your business's viability or lifespan.

After liquidating the assets of Filefax Inc., the appointed receiver agreed to pay $100,000 out of the estate to settle violations of the HIPAA Privacy Rule. Filefax Inc. advertised its provision of storage, maintenance, and delivery of medical records for covered entities, according to the OCR press release.

OCR opened an investigation after an anonymous tipster alleged that someone transported Filefax medical records to a shredding and recycling facility in order to sell them. OCR found evidence of 2,150 patients' medical records, all containing PHI, at the shredding and recycling facility and in an unlocked truck in the Filefax parking lot. OCR's investigation indicated that Filefax had granted permission to remove the PHI from Filefax to an unauthorized person, who left the PHI unsecured outside the Filefax facility, according to the press release.

Though Filefax shuttered during the investigation, it was still held to the consequences of violating the HIPAA Privacy Rule. "In 2016, a court in unrelated litigation appointed a receiver to liquidate its assets for distribution to creditors and others," according to the press release. "In addition to a $100,000 monetary settlement, the receiver has agreed, on behalf of Filefax, to properly store and dispose of remaining medical records found at Filefax's facility in compliance with HIPAA."

"The careless handling of PHI is never acceptable," said Roger Severino, director at OCR. "Covered entities and business associates need to be aware that OCR is committed to enforcing HIPAA regardless of whether a covered entity is opening its doors or closing them. HIPAA still applies."

See reader question and Practice Management Alert answer on page 29 on the top three strategies for safely storing and accessing PHI.

Resource: If you want to find out more about nondiscrimination and health information privacy laws, civil rights, and your privacy rights in healthcare and human service settings, you can find more information or learn how to file a complaint here: http://www.hhs.gov/hipaa/index.html.